Photographer: Daniel Acker/Bloomberg

E-Mail Spam Goes Artisanal

Scammers are turning to small-batch attacks to beat today’s more sophisticated e-mail filters.

When a group of hackers sought to steal iTunes passwords from Apple customers in France, they didn't spam the entire country. They sent out just 5,000 e-mails to French-speaking targets containing links to a fake login page.

The attack, which took place in October, was a success, at least by spamming standards. Most of the e-mails found their way to their intended recipients' inboxes, a rare occurrence with today's sophisticated spam filters. Agari Data, a cyber-security company that tracked the incident, said more spammers are adopting this kind of small-batch approach in the hopes of breaking through junk-mail blocking software.

As anyone with a Gmail or Yahoo! account knows, spam e-mail is mostly relegated to a folder you probably never check. Unlike the old days of the Internet, in-boxes are no longer clogged with poorly worded come-ons for Viagra pills and Nigerian banking scams. Modern anti-spam filters block more than 99.99 percent of junk messages.

Spam is still a big business. Unsolicited junk mail accounts for 86 percent of the world's e-mail traffic, with about 400 billion spam messages sent a day, according to Talos, a digital threat research division of Cisco Systems. While the vast majority will never see the inside of an inbox, the few that do worked hard to get there. "Spammers are getting much more focused, much more targeted, and this shows they are getting more concerned about quality," said Vidur Apparao, Agari's chief technology officer.

In the French iTunes case, attackers were able to operate their e-mail scam for eight hours before automated filters began to catch on, Agari said. They used e-mail accounts hosted through a small Belgian cloud company that wasn't a known offender on global threat lists. Attackers frequently use small hosting providers to execute their schemes because the companies often lack checks in place to catch fraudulent users, unlike, say, Amazon.com or Google, said Apparao. His company wasn't able to determine whether users clicked links contained in the e-mails, or how many were tricked into giving away passwords.

This increasingly popular technique is known in the industry as "snowshoe" spam. (The name refers to the small footprints it leaves.) This differs from the more commonly known spear-phishing attacks, which target specific, often-important people with personalized messages sent one by one. Craig Williams, a senior manager at Talos, said the amount of snowshoe spam has more than doubled in the past two years and now accounts for more than 15 percent of all junk messages distributed globally.

Snowshoe attacks continue to cause "severe" problems for spam filters, Cisco said. It's one of many vexing problems for the industry. Global spending on cyber-security technology is projected to surpass a record $83.6 billion in 2015, according to an estimate by researcher Gartner.

A separate attack, also in October, involved 169 e-mails targeting Italian PayPal users, Agari said. The messages came from a data-hosting company in France that hadn't been included on major blacklists before the attack. These e-mails, like most effective spam, didn't include attachments, which can be quickly scanned and flagged as malicious. Because Web links take longer to crawl, many filters don't bother.

As artisanal spam becomes a bigger problem, the cyber-security industry is pushing for adoption of new protections that could save our in-boxes. One, called DMARC, is a global registry that lets retailers and other companies register the servers they use to send the kind of mass mailers some people enjoy receiving. Messages purporting to be from those companies but coming from an unregistered address would get flagged. It's a compelling idea, but as with most proposed solutions, trying to get everyone on board has been costly and time-consuming.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE